Port MASTG-TEST-0027 (Testing for URL Loading in WebViews) to MASTG v2#3570
…th demos Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
…check Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
@copilot redo the demo MASTG-DEMO-0050 which is for MASTG-TEST-0315, something went wrong and it doesn't have the expected files. After that please rename all tests and demos to dummy IDs, e.g. MASTG-TEST-03x1, MASTG-TEST-03x2, MASTG-DEMO-03x1, etc. We'll assign the real IDs before merging. This will avoid conflicts.
…to dummy IDs Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Done! I've recreated MASTG-DEMO-03x3 (previously MASTG-DEMO-0050) with proper Frida-based dynamic analysis for MASTG-TEST-03x3, and renamed all tests and demos to dummy IDs: Tests:
Demos:
Commit: 581b90b
serek8
left a comment
All looks great, I am just not sure about the dynamic demo and left some comments @cpholguera
- URLs are logged but not validated against an allowlist of trusted domains.
- All URLs are allowed to load (return value is `false` for `shouldOverrideUrlLoading`).
- No checks for external domains or malicious content.
"No checks for external domains" is the same as the first bullet point "URLs are logged but not validated against an allowlist of trusted domains".
- No checks for external domains or malicious content.
- No checks for malicious content.
The test **fails** because the implementation does not perform any URL validation:
- URLs are logged but not validated against an allowlist of trusted domains.
Not sure how it was evaluated dynamically that URL is not validated against an allowlist. This is a dynamic test so maybe it would be better to open a malicious URL and then see if shouldOverrideUrlLoading and shouldInterceptRequest block the request to prove validation. The same with the content. Maybe we can try to have a website with some SQL/JS injection and then see if it's blocked? Not sure exactly how we can demo it dynamically but for now the evaluation looks more related to static testing. cc: @cpholguera
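For reference, a hardened `WebViewClient` of the kind the review asks the dynamic demo to exercise, enforcing one allowlist in both `shouldOverrideUrlLoading` and `shouldInterceptRequest`. This is an added example, not the PR's demo code or anything from the MASTG repository; the class name and the allowlisted hosts are constructed for illustration.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical hardened client: only allowlisted HTTPS hosts may load. */
public class AllowlistWebViewClient extends WebViewClient {

    // Constructed allowlist for illustration; a real app would own this list.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "cdn.example.com"));

    /** Returns true only for https:// URLs whose host is exactly on the allowlist. */
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Exact host match: a naive endsWith()/contains() check would let
        // "example.com.attacker.test" or "notexample.com" through.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        // true cancels the navigation; the WebView stays on the current page.
        return !isAllowed(request.getUrl().toString());
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        // Sub-resources (scripts, iframes, XHR) never reach shouldOverrideUrlLoading,
        // so the same allowlist is enforced here; blocked requests get an empty 403.
        if (isAllowed(request.getUrl().toString())) {
            return null; // null lets the WebView fetch the resource normally
        }
        return new WebResourceResponse("text/plain", "utf-8", 403, "Blocked",
                Collections.<String, String>emptyMap(), new ByteArrayInputStream(new byte[0]));
    }
}
```

A dynamic check of the kind the comment describes would hook both callbacks and confirm that a non-allowlisted URL yields `true` from the first and a 403 response from the second.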
This PR closes #3333
Description
Ports v1 test MASTG-TEST-0027 to three atomic v2 tests covering WebView URL loading security.
New Tests (using dummy IDs)
WebViewClient URL handlers (`shouldOverrideUrlLoading`, `shouldInterceptRequest`)
All tests linked to MASWE-0071 (WebViews Loading Content from Untrusted Sources).
New Demos (using dummy IDs)
New Semgrep Rules
- mastg-android-webview-url-handlers.yml: Detects WebViewClient implementations and `setWebViewClient` calls
- mastg-android-webview-safebrowsing-manifest.yml: Detects disabled SafeBrowsing in manifest
V1 Deprecation
Updated MASTG-TEST-0027 with `status: deprecated` and `covered_by` referencing new tests.
Note: Tests and demos use dummy IDs (03x1, 03x2, 03x3) to avoid ID conflicts. Real IDs will be assigned before merging.
[x] I have read the contributing guidelines.